Welcome to the SecAware blog

I spy with my beady eye ...

20 May 2006

Microsoft's Security Development Lifecycle

Microsoft’s Trustworthy Computing Initiative involved retraining loads of developers to code with security in mind. Whilst Microsoft's secure development methods generally follow the traditional waterfall approach, take a closer look at the activities immediately preceding release. “During the release phase, the software should be subject to a Final Security Review (‘FSR’). The goal of the FSR is to answer one question. ‘From a security viewpoint, is this software ready to deliver to customers?’ The FSR is conducted two to six months prior to software completion, depending on the scope of the software. The software must be in a stable state before the FSR, with only minimal non-security changes expected prior to release.” In your organization, does independent security testing occur 2 to 6 months before release?! Of course, even this method is not absolutely perfect: at least one buffer overflow vulnerability in Word somehow slipped through the net.

More security-development integration resources

Soot juggling

Being an information security manager in today's complex world of business and technology is a bit like this.

MS Word zero day exploit in the wild

Alerts are circulating about a zero-day attack exploiting a buffer overflow vulnerability in Word XP and Word 2003 (not the free Word document reader, nor Word 2000). The attack seen to date appears to have been targeted against a specific organization, dropping a "Trojan with rootkit features" (i.e. it conceals its presence). As usual in these circumstances, the initial information is somewhat vague, mostly third-hand reports, but when SANS ISC and various antivirus vendors pipe up, there's enough smoke to indicate a probable fire. Microsoft's security team confirmed through a blog entry that they are on the case, with a patch anticipated on Patch Tuesday in June. Meanwhile, our advice for now would be to avoid opening Word documents attached to emails unless the sender is known to you and the content was expected. Also, for good measure, avoid opening Word documents downloaded from dubious websites - not a bad idea in itself.
More malware resources

19 May 2006


An interesting development of the idea to set up email redirections to mask your real email address comes from SpamMotel. When you set up a new email address, you can enter notes. Emails received at that address automatically have the notes prepended before being forwarded to your real email address. That way, it's simple to record when and why you set up the email address and who you gave it to, so if it gets spammed you know who to blame.
More email security resources

18 May 2006

Blue Frog in the blender

Having interviewed the CEO of Blue Security, Wired is reporting that the anti-spam initiative is shutting up shop in the face of an onslaught of spam and Denial of Service attacks affecting Blue Security's clients and Internet Service Providers as well as the company itself. Although this brings the David and Goliath battle to a sad end, the war against spammers continues. Further concerted action by ISPs and legislative action seems likely. Meanwhile, the spam filtering industry is doing a roaring trade.

Previous blog entry

17 May 2006

Security metrics presentation

Influencing senior management, a presentation on security metrics, gives a good overview of the factors to consider when developing a set of security metrics. The particular examples chosen may not suit every organization but, as examples, they illustrate the kinds of things worth measuring and reporting. The slides touch on Kaplan and Norton's classic 'balanced scorecard' approach but (as so many do) emphasizing 'scorecard' over 'balance'. Still, a worthwhile read if you, like me, are fishing around for useful security metrics.

Disaster management standard

NFPA 1600 is an American standard for Disaster/Emergency Management and Business Continuity Programs - a new one on me but first published in 1995 and most recently updated just a couple of years ago. Four of its 46 pages form the core, the rest being index and appendices with additional explanation. Its stated aim is to "establish a common set of criteria for disaster management, emergency management, and business continuity programs".
More disaster contingency links

11 May 2006

From Blue Frog to frog boiling

An excellent if rather scary summary of the current status of information security at Security Absurdity points out the enormous shadow falling over IT. Reading all the security issues listed in this one article, and cogitating on the amount of work required to fix any one of them, it's quite overwhelming. We're looking forward to the next thrilling installment when the author promises to present The Answer. Can't wait!

More general security resources

Building security in

Software development: Building security in explains six key issues in the software development process that lead to the release of insecure code. Unfortunately, the article does not actually describe the solutions to the six issues identified - that is left as an exercise for the reader - and there is a bias towards the use of testing tools (i.e. technology) to solve the problem. Still, it's a typical perspective, summarized succinctly.

More SDLC-security integration resources

9 May 2006

Google for logs

A log collation and analysis utility called Splunk (tagline "take the SH out of IT") looks like a cool solution for those who need to manage security logs from multiple sources (e.g. Apache, IIS, Windows event logs etc.). Suck all your logs into the database on a convenient spare Linux, Solaris, FreeBSD or Mac OS server, and search the whole lot through a Google-like front end. Look for strange events and unusual patterns. Sift the wheat from the chaff. It's a boon for small businesses with budgetarily-challenged sysadmins since it's free for up to 500 Mb of logs per day, while the extended Pro versions look neat too for grown-up enterprises - not least because there's a wiki with answers from the user community to "What's that in my log?"-type questions (a great idea for other software vendors - hint hint). The Splunk FAQ hints at the limitations of alternatives such as syslog-ng, although the Windows-based Kiwi Syslog concentrator strangely doesn't merit a mention.
More security links for IT Ops
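To show what "collating" logs from several sources actually buys you, here is a small added example (written for this blog entry, not Splunk's code or any real log data) that normalises three constructed formats - an Apache combined access log, an IIS W3C extended log and Windows Security events rendered as text - into one timeline, supports a Google-style keyword search over it, and counts authentication failures per client address across all three sources. The sample lines, the hypothetical host set-up and the assumption that the IIS and Windows timestamps are in UTC are all mine.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines (not from any real system) in three formats a
# log collator would typically ingest. One client, 10.0.0.5, fails to log in
# against Apache, then IIS/OWA, then a Windows host; a second client behaves.
APACHE_LINES = [
    '10.0.0.5 - - [09/May/2006:10:15:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [09/May/2006:10:15:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [09/May/2006:10:15:03 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/4.0"',
    '192.168.1.20 - - [09/May/2006:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]
IIS_LINES = [
    '#Fields: date time c-ip cs-method cs-uri-stem sc-status',
    '2006-05-09 10:17:05 10.0.0.5 POST /owa/auth.aspx 401',
    '2006-05-09 10:17:09 10.0.0.5 POST /owa/auth.aspx 401',
]
# Windows Security event text; 529 = logon failure, 528 = successful logon
# (pre-Vista event IDs). Timestamps assumed to be UTC for this example.
WINEVT_LINES = [
    '2006-05-09 10:18:00 Security 529 Logon Failure: User Name: admin Source Network Address: 10.0.0.5',
    '2006-05-09 10:19:00 Security 528 Successful Logon: User Name: jsmith Source Network Address: 192.168.1.20',
]

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINEVT_RE = re.compile(
    r'^(\S+ \S+) Security (\d+) [^:]+: User Name: (\S+) Source Network Address: (\S+)$')


def parse_apache(line):
    """Apache combined log -> normalised event dict (or None if unparseable)."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    outcome = 'auth_failure' if status == '401' else 'ok'
    return {'time': when, 'source': 'apache', 'ip': ip, 'outcome': outcome, 'raw': line}


def parse_iis(line):
    """IIS W3C extended log (date time c-ip method uri status); skips '#' directives."""
    if line.startswith('#'):
        return None
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time_, ip, method, uri, status = parts
    when = datetime.strptime(f'{date} {time_}', '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)
    outcome = 'auth_failure' if status == '401' else 'ok'
    return {'time': when, 'source': 'iis', 'ip': ip, 'outcome': outcome, 'raw': line}


def parse_winevt(line):
    """Windows Security event text -> normalised event dict."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    ts, event_id, user, ip = m.groups()
    when = datetime.strptime(ts, '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)
    outcome = 'auth_failure' if event_id == '529' else 'ok'
    return {'time': when, 'source': 'windows', 'ip': ip, 'outcome': outcome, 'raw': line}


def collate():
    """Parse every source and return one timeline sorted by UTC timestamp."""
    events = []
    for parser, lines in ((parse_apache, APACHE_LINES), (parse_iis, IIS_LINES),
                          (parse_winevt, WINEVT_LINES)):
        events.extend(e for e in map(parser, lines) if e is not None)
    return sorted(events, key=lambda e: e['time'])


def search(events, term):
    """Case-insensitive keyword search over the raw text of every event."""
    term = term.lower()
    return [e for e in events if term in e['raw'].lower()]


def failures_by_ip(events):
    """Authentication failures per client address, regardless of which log they came from."""
    return Counter(e['ip'] for e in events if e['outcome'] == 'auth_failure')


def suspicious_ips(events, threshold=3):
    """Addresses whose cross-source failure count reaches the threshold."""
    return sorted(ip for ip, n in failures_by_ip(events).items() if n >= threshold)


if __name__ == '__main__':
    timeline = collate()
    for e in timeline:
        print(e['time'].strftime('%H:%M:%S'), e['source'].ljust(7), e['ip'].ljust(13), e['outcome'])
    print('failures per IP:', dict(failures_by_ip(timeline)))
    print('worth a look:', suspicious_ips(timeline))
```

The point of the cross-source counter is that no single log shows more than two failures from 10.0.0.5, which most per-host alerting would ignore; only once the three sources share a timeline and a common `ip` field does the pattern stand out.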

7 May 2006

Shell UK suspends chip-and-pin

BBC News is reporting that Shell has halted the use of chip-and-pin EFTPOS terminals in 60% of its 1,000 UK petrol stations following a £1m fraud. The news article implies that fraudsters may have tampered with Shell's EFTPOS card readers in some way, although they are supposedly tamper resistant devices.
More IT fraud links

Blue Security struggle continues

The Blue Security spam war rages on. An update on the Blue Security website identifies the spammer responsible (he is evidently taunting Blue Security using ICQ) and outlines the methods used to attack Blue Security and its user community. Despite my dire prediction of May 2nd, the Israelis behind Blue Security are valiantly defending their systems against the onslaught and Blue Frog users are evidently hanging in there. Meanwhile, the spammers have taken to spewing out even more spam using Blue Frog users' email addresses as the forged senders' names causing collateral damage in the process. All in all, an ugly situation.
More anti-spam resources

6 May 2006

Australian ID theft kit

An identity theft kit from the Australian Government's National Crime Prevention Programme goes beyond the usual brief fact sheet approach. The 28-page goody pack provides well-written guidance and includes some proforma victim reporting sheets and a checklist.
More ID theft and related links

Best Practices for Secure Development

Best Practices for Secure Development may be 5 years old but the advice is still sound. "Inasmuch as a software project does not start with coding, building security into an application does not start by implementing security technologies. We will suggest an approach recommended by the existing risk management and software building practices." The paper goes on to discuss security aspects up to implementation, stopping short of security operations, controls maintenance and security aspects of end-of-life system retirement/replacement.
More secure software development links

Spycar anti-spyware tester

Spycar comprises a suite of routines designed to mimic various forms of spyware (in a benign fashion, of course) and thereby test your anti-spyware tools. The sequence completes with a scoring and clean-up tool that politely reverts the test changes. Having been created by Ed Skoudis of Counter-Hack fame and colleagues from the SANS ISC, one can be reasonably confident that the tests are both effective and safe. The Spycar name is a tip-o'-the-hat towards the EICAR anti-virus test sequence, an old but still useful means of confirming that your antivirus tools are working. Ed, if you're watching, how about phishcar and Troycar too?
More (anti-)malware links

3 May 2006

Stunning security awareness posters for sale

Thanks to a new deal with a fantastic graphics company, we are delighted to be able to offer professionally-printed security awareness posters at $8 each (plus P&P). NoticeBored customers automatically receive the graphic images at no extra cost and can print their own full color posters, or they can purchase hardcopies directly from Dassign. We hope you like the new designs. Being such stunning images in high quality/high resolution graphics, they are sure to make quite an impact on the audience for your security awareness program.

DTI Information Security Breaches Survey 2006

The latest Department of Trade and Industry/PriceWaterhouseCoopers Information Security Breaches Survey, released at Infosecurity Europe last week, has an excellent reputation as such surveys go. Four fact sheets picking up on topical elements in the report were released early as marketing teasers for the press, but as always it is well worth reading and contemplating the main report itself. If you don't have the time to read 36 pages, try the 4-page exec summary for size. We will be publishing a review when our contemplating is done - and not before! There's a lot of good material to digest.
More thoughts on security awareness

BlueSecurity back on air

The Blue Security story has set tongues wagging on Slashdot. There seems to be a consensus of vitriolic loathing for the spammers, as one might expect, but mixed feelings about the value of spamming-the-spammers. Details about the incident itself are rather sparse at present, although BlueSecurity is defiantly back on the air as I write this, and blogging hard about continuing the fight. They are showing true grit and getting wide support, so the fight is far from over yet.

Federal Trade Commission

Some high-level, simple awareness/guidance notes are available from the Federal Trade Commission. Only a couple at present, but there's a chance they might do more, I guess.
More awareness links

2 May 2006

Toast the Blue Frog

Further to our blog entry of April 10th, we received the following spam today:
Hey, You are recieving this email because you are a member of BlueSecurity (http://www.bluesecurity.com). You signed up because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally. How do you make it stop? Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you arent there.. you wont get this again. We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result. By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop recieving this. Why are we doing this? Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails. Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails, but do not believe for one second that we will stop this tirade of emails if you choose to stay with BlueSecurity. Just remember one thing when you read this, we didnt do this to you, BlueSecurity did. If BlueSecurity decides to play fair, we will do the same. Just remove yourself from BlueSecurity, and make it easier on you. Sergio Sheldon

Regardless of the veracity of the spammer's claim, regardless of the mechanism of the (alleged) compromise, I for one am not willing to take the risk. Blue Security is toast. Bye bye blue frog.

1 May 2006

NoticeBored this month

Continuing the creativity and innovation that sets us apart from our competitors, the latest NoticeBored Classic security awareness module takes a cradle-to-grave view of the Systems Development Life Cycle and explains how information security should be integrated into the process. We delivered over 40 megs of awareness content to customers last night including 33 double-sided notelets on the kinds of things project managers and developers ought to know about information security, and about the relevance of information security throughout the lifecycle.
Read more about NoticeBored

Faking an entire company

An amazing piece in the International Herald Tribune covers the discovery of a counterfeit operation that faked NEC - not just a few NEC goods, this was a parallel manufacturing and marketing outfit living off the back of the genuine NEC. "Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan." This takes theft of intellectual property to a new level.
More intellectual property links